SANS ISC InfoSec Forums

A reader sent in details of an incident that is currently being investigated in their environment. (Thank you, Peter, for sharing!) It appears to be a slick yet elaborate scam to divert a customer payment to the scammers. It occurs when the scammer attempts to slip into an email conversation and go undetected in order to channel an ordinary payment for services or goods into his own coffers.

Here is a simple breakdown of the flow:

Supplier sends a business email to the Customer; the email mentions that a payment has been received and asks when the next payment will arrive.

Scammer intercepts and slightly alters the email.

The Customer receives the email seemingly from the Supplier but altered by the Scammer with the following text slipped into it:

"KIndly inform when payment shall be made so i can provide you with our offshore trading account as our account department has just informed us that our regular account is right now under audit and government taxation process as such we cant recieve funds through it our account dept shall be providing us with our offshore trading account for our transactions. Please inform asap so our account department shall provide our offshore trading account for your remittance."

Scammer sets up a fake domain name with a similar look and feel, e.g. if the legitimate domain is google.us, the fake one could be google-us.com.

An email is sent to the Customer from the fake domain indicating the new account info to channel the funds:

"Kindly note that our account department has just informed us that our regular account is right now under audit and government taxation process as such we can't receive funds through it. Our account department has provided us with our Turkey offshore trading account for our transactions. Kindly remit 30% down payment for invoice no. 936911 to our offshore trading account as below;

The Customer is very security-conscious and noticed the following red flags, which averted the fraud:

- The email was sent at an odd time (off hours for the time zones in question).
- The domain addresses in the spoofed email were incorrect (i.e. google-us.com vs. google.us).
- The email contained repeated text, which added to the "spammy" feel of it.

This scam was averted by security-conscious business staff and properly analyzed by talented tech staff. We appreciate them sharing it with us.

The flags that indicate this is elaborate are that the email appeared to be fully intercepted and targeted, because it mentioned that a payment had been requested. Also, the fake domain created for this incident was registered only hours before the fraudulent email with the account information was sent. The technical analysis showed that the fake-domain email was sent from an IP address not owned by the supplier or the customer.

This incident is still under investigation and we will provide more obfuscated details as they become available. Please comment and discuss with us if this has happened to your environment and what was done to mitigate and investigate things further.

In some cases, the e-mails are "intercepted" by forwarding them to a third party (e.g. by adding forwarding rules to Gmail accounts). This way, the attacker may learn enough about the pending transactions to craft a convincing email.

This doesn't make any sense. The attacker intercepts the email and alters it ("The Customer receives the email seemingly from the Supplier but altered by the Scammer with the following text slipped into it")... Why would the attacker then go through the trouble of registering a fake domain and sending a second email? The attacker could just insert the whole "scam text" right into the intercepted email. Further, if the attacker is in a position to intercept emails, it seems they would have plenty of access to launch much more sophisticated attacks.

Quoting Johannes: "in some cases, the e-mails are "intercepted" by forwarding them to a third party (e.g. by adding forwarding rules to gmail accounts). This way, the attacker may learn enough about the pending transactions to craft a convincing email."

If that were the case here, the email could not have been "altered by the Scammer with the following text slipped into it".

Wouldn't an interception of this kind (prevention of receipt of original e-mail, complete replacement with altered e-mail) indicate a compromise of either the sender or recipient's e-mail servers? Seems to me that this is more than just eavesdropping and spamming an e-mail, otherwise they would have received two e-mails (one altered, one not).

Keep in mind that the investigation is still ongoing. There are various scenarios that can explain why the fake domain was created. The fake domain was used to spoof the Supplier. Just because the email chain of the Customer is breached at some level, it does NOT mean the attacker has full access to all systems. A fake domain is an easy way for the attacker to get inserted into the communication (with ease), once the trust with the victim gets established.

We are hoping others had some experience in a similar attack, so that any details shared could assist this incident and the general community.

I saw the very first version in the wild in August 2013; it seems to be a new Nigerian 419 variant.
All the details you have provided are similar to the 5+ cases I have dealt with in India.

According to my forensic analysis and incident handling, here is the flow of how it works:
1) Scammers somehow lure victims by sending emails with phishing / spear-phishing links.
2) They get their keylogger installed on the PCs of the supplier/customer.
3) They keep a tab on transactions with keywords like "shipping", "stuffment", "vehicle number", "Invoice", "DHL Tracking", etc.
4) The scammers then create a fake email address by registering a similar domain name (the "typosquatting trick") which looks almost identical and goes unnoticed by a casual reader.
5) The newly created domain name lies unused as such; however, the FQDN is used to create email IDs which are later used for correspondence between the supplier/customer.
6) An important point is that the TO and CC fields in the email messages containing the legitimate email IDs are also faked and are marked in this process.
7) The body of the email is so poorly drafted in English, with capital letters where they are normally not used, that the easy way to catch it is to just check the semantics and grammar of the email content (e.g. every initial letter is capitalized).
8) The machines which were infected were managed by a centralized AV monitoring tool, which could not detect this.
9) I myself have worked on 3 of these cases, and I have seen employers sacking their own trusted staff, because they were the only ones who dealt with financial trading information within their respective organizations.

I will try to find some more facts from my cases and, if possible, I will try to provide more insight into it.
We could not obtain a forensically sound image for the cases I handled, because it was identified very late, in December 2013.

Another interesting point was that all three of the clients/cases had at least one of the supplier or the customer based in Nigeria/South Africa.

All the concerned staff, at either the supplier or the customer end, were identified by name, and similar fake email IDs with their names were used for the further chain of mail exchange.

I cannot say for sure if they had compromised the majority of the PCs or turned them into botnets.
However, this is something almost a year old.

What took place is an intercept of the outgoing messages from the source, not the customer.

The batch was copied off the server by changing the spool directory so it never sent, then used with the new domain from the phishing server or, in some cases, from the actual server that was compromised, using standard find-and-replace UNIX tools.

I am from a web company in Malaysia, designing and hosting websites (using third-party services, i.e. HostGator and our local provider) for manufacturers.

Recently we have been getting complaints exactly like the ones in this thread, and I couldn't find any information on email interception.

Scenario 1 :

1) Our client (Seller) sends an email to its customer's Yahoo mail (Buyer) with prices.
2) Buyer sends back an acknowledgement email to Seller.
3) Buyer then receives an email from Seller with an attached PDF invoice, IN WHICH THE BANKING DETAILS HAVE BEEN ALTERED to some China bank account.
4) The email header clearly shows it is being spoofed and it is NOT from the original sender's server.
5) The "reply-to email" field still shows the Seller's email address.

Scenario 2 :
1) Another client (Seller) sends an email to its customer's Gmail (Buyer).
2) Along the line, Seller stops receiving replies from Buyer.
3) Seller calls up Buyer; Buyer says he is still responding to Seller's emails (WHICH THE SCAMMER HAS TAKEN OVER!).
4) Seller logs into his webmail (he usually uses Outlook) to find a newly added filtering rule that automatically moves the Buyer's email to Trash.

Scenario 3 :
1) When Seller forwards an email to another account, some random message from China gets attached to the email.

We checked with the local email provider, and the usual responses are spyware, the password is not strong, or someone internal hacked in. As a web company with a few clients facing the same issue, we do not believe it is some internal job but that sophisticated interception is going on, and I believe a lot of companies are facing this problem.

Can someone please point me to some websites with technical explanation on this? I need to answer our clients.

A similar incident happened to us. We are in an argument with our supplier, as an email was intercepted and altered, i.e. the bank details were altered, and we paid into a bogus bank account. We were aware they were setting up a new bank account, and confirmed this with them in a reply, which also went to the bogus email address. Our question is: whose email was intercepted?
The supplier sent it to 2 independent emails; one was altered and was received, while the other, which had been "cc"d in, we later found out had bounced back to the original sender and had been altered.
Is there any way we can find out whose email was hacked?

I came across the same type of scam very recently. One party was based in India and the other, the supplier, in China. Somehow the scammer came into the two parties' conversation. He then created a similar domain, but on v90.us, and changed the bank account details. The bank account was located in Poland. Unfortunately, our client wasn't very security-conscious and paid about $20k to the bogus account.

Is there any way to find out what is compromised? The email server, the user's PC, or what? We have been targeted by this type of scam 3 times in the last 4-5 months, two of which took place within the last week itself.

I know this thread is several years old, but I feel it worthwhile to add a compromised situation that I recently encountered. (This thread actually helped secure the email accounts again.)

If you encounter persistent email hijacking or intercepted emails, ** make sure your email auto-forwarding settings are not compromised **. This would apply to the recipients' accounts as well.

What happened to us... One of our email accounts was compromised via a successful phishing attempt. We use G Suite / Gmail for our company mail. The scammer set up mail forwarding on the hacked account, so they had a copy of all correspondence sent to that account. Changing the password on the account (which we did immediately) did nothing, since the forwarding was still in place. Very simple hack, and I spent hours on it until I finally encountered this thread.

Details:

1. We received a request to wire money. This by itself wasn't suspect, as we normally do business via wire payments with our overseas suppliers.

2. They quoted previous emails in the reply. Slipstreamed! This made it seem even more legit.

3. They copied all the details of the email recipient list, formatting and all.

4. The scammer used domain names that were very close to our suppliers'. It was off by 1 letter.

5. Sender email was forged; it was the legit email address. But when you hit Reply, it would use the fake domain (set in the reply-to field, not visible in Gmail unless you View Original, or actually hit Reply and inspect the email you're replying to).

We almost wired $40,000 the first time. Actually, the wire was submitted but we were able to cancel it after we realized what happened. The second time, several months later (after changing passwords but not checking the forwarding), it was for a different supplier, but using the exact same tactic. Replies inline with details copied, asking for the wire transfer.
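The red flags raised in this thread (a lookalike domain such as google-us.com standing in for google.us, a Reply-To that silently points replies at the fake domain, and a message sent at an odd hour) can be turned into one header triage check. This is an added example, not code from the diary or from any poster; the partner domain list, the business-hours window and the sample message are constructed assumptions.

```python
# Added example, not code from the diary or any poster: header triage for the
# red flags this thread lists (lookalike domain, hidden Reply-To, odd send time).
# PARTNER_DOMAINS, BUSINESS_HOURS and SAMPLE are constructed assumptions.
import email
import re
from email.utils import parseaddr, parsedate_to_datetime

PARTNER_DOMAINS = {"google.us"}  # assumed: domains we genuinely trade with
BUSINESS_HOURS = range(8, 19)    # assumed: partner's 08:00-18:59 local day

def domain_of(header_value):
    addr = parseaddr(header_value or "")[1].lower()  # '' when header absent
    return addr.rsplit("@", 1)[1] if "@" in addr else ""

def skeleton(domain):
    return re.sub(r"[^a-z0-9]", "", domain)  # 'google-us.com' -> 'googleuscom'

def levenshtein(a, b):  # edit distance, for the "off by one letter" domains
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(domain):  # not a partner domain, but closely imitates one
    if not domain or domain in PARTNER_DOMAINS:
        return False
    s = skeleton(domain)
    return any(s.startswith(skeleton(p)) or levenshtein(s, skeleton(p)) <= 2
               for p in PARTNER_DOMAINS)

def triage(raw_message):  # red flags found in one raw RFC 822 message
    msg = email.message_from_string(raw_message)
    sender, reply_to = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    flags = []
    if reply_to and reply_to != sender:  # replies silently go elsewhere
        flags.append("reply-to domain differs from sender domain")
    for role, dom in (("sender", sender), ("reply-to", reply_to)):
        if is_lookalike(dom):
            flags.append(f"{role} domain {dom} imitates a partner domain")
    hour = parsedate_to_datetime(msg["Date"]).hour  # hour in the sender's zone
    if hour not in BUSINESS_HOURS:
        flags.append(f"sent at {hour:02d}:xx, outside business hours")
    return flags

SAMPLE = ("From: accounts@google.us\nReply-To: accounts@google-us.com\n"  # constructed
          "Date: Tue, 11 Mar 2014 03:12:00 +0300\nSubject: Re: Invoice\n\n"
          "Kindly remit 30% down payment to our offshore trading account.\n")
```

`triage(SAMPLE)` returns all three flags for the constructed message; a genuine partner mail with no Reply-To, sent during the day, returns an empty list.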
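Scenario 2 earlier in the thread (a filter that quietly moves the Buyer's mail to Trash) and the G Suite post above (auto-forwarding left in place after a password change) are both mailbox-rule problems, so an audit of the rules is the check to run. This is an added example, not any poster's code; the rule records are constructed, and their field names (`criteria`, `action`, `addLabelIds`, `removeLabelIds`, `forward`) follow the Gmail API filter resource as an assumption, as does the company's own domain.

```python
# Added example, not from any poster: audit of mailbox rules for the forwarding
# and "move to Trash" tricks described in this thread. Rule records are
# constructed; their shape follows the Gmail API filter resource (assumption).
OWN_DOMAIN = "ourcompany.example"  # assumed: the company's own mail domain

def is_external(address):
    return not address.lower().endswith("@" + OWN_DOMAIN)

def suspicious_rules(filters, forwarding_addresses):
    """Return (rule_id, reason) pairs for rules that divert or hide mail."""
    findings = []
    for addr in forwarding_addresses:  # account-level auto-forward targets
        if is_external(addr):
            findings.append(("forwarding", f"mail auto-forwarded to {addr}"))
    for f in filters:
        crit, act = f.get("criteria", {}), f.get("action", {})
        who = crit.get("from") or crit.get("query") or "all mail"
        target = act.get("forward")
        if target and is_external(target):
            findings.append((f["id"], f"forwards mail from {who} to {target}"))
        added = set(act.get("addLabelIds", []))
        if added & {"TRASH", "SPAM"}:  # the Scenario 2 trick: mail never seen
            findings.append((f["id"], f"deletes mail from {who}"))
        elif "INBOX" in act.get("removeLabelIds", []):  # skips the inbox
            findings.append((f["id"], f"archives mail from {who} unread"))
    return findings

# Constructed sample rules modelled on the thread, not taken from a real account.
SAMPLE_FILTERS = [
    {"id": "rule-1", "criteria": {"from": "buyer@gmail.example"},
     "action": {"addLabelIds": ["TRASH"], "removeLabelIds": ["INBOX"]}},
    {"id": "rule-2", "criteria": {"query": "invoice OR wire"},
     "action": {"forward": "copy@attacker.example"}},
    {"id": "rule-3", "criteria": {"from": "news@vendor.example"},
     "action": {"addLabelIds": ["Label_12"], "removeLabelIds": ["INBOX"]}},
]
SAMPLE_FORWARDING = ["archive@ourcompany.example", "collector@attacker.example"]
```

Run `suspicious_rules(SAMPLE_FILTERS, SAMPLE_FORWARDING)` after every credential reset; the password change alone, as the post notes, leaves these rules untouched.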